
As part of an effort to integrate a Buffalo NAS TeraStation Pro with our AD, we found out that the following changes need to be made in Group Policy:

The following need to be altered in Domain -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

Microsoft Network Server: Digitally Sign Communications (always) (needs to be Disabled; currently it's Not Defined)

Network Security: LAN Manager Authentication Level (needs to be altered from Not Defined to Ntlm2 negotiate if needed)

My questions are: is it worthwhile/risky to change the policy for the domain for a couple of NAS servers?

Second one: can they be changed on the individual DCs (probably via SECPOL), since we will be pointing the NAS to only 1 DC?

Darktux
  • If you have a NAS that's only offering file services to a single client, why wouldn't you just use a DAS? – MDMarra Nov 15 '12 at 15:14
  • @MDMarra: He's not talking about having one client-- he's talking about how the NAS has a "hard coded" DC used for passthru authentication (it doesn't use the DC locator protocol). They're really, really poor devices in terms of their AD integration. – Evan Anderson Nov 15 '12 at 15:16
  • ...ohhhhh. Yeah, that's ugly. – MDMarra Nov 15 '12 at 15:17

1 Answer


I am familiar with these devices and these particular changes. These settings do compromise security somewhat. I don't know that the practical risk is much better than the already sorry state of NTLMv2 and hash-based attacks, but it does increase risk somewhat. It would be nice if Buffalo spent some money addressing the need to downgrade security to support their devices.

To your second question: Anything you might do to create different security policy for different Domain Controllers (DCs) would result in an unsupported configuration and I'd advise against trying it. It might be possible to work something out but you'd be on your own re: support if it created oddball behavior.

Evan Anderson
  • We are further planning to introduce more NAS devices into our environment. Do you know of any such devices similar to TeraStation Pro which have very good AD integration options? – Darktux Nov 15 '12 at 17:04
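
A read-only check of what a DC currently enforces for the two policies discussed in this thread, as an added example that is not part of the original question or answer. It assumes the standard registry locations that back these policies (`RequireSecuritySignature` under `LanmanServer\Parameters` and `LmCompatibilityLevel` under `Lsa`); the helper name `Get-RegDword` is made up for this sketch.

```powershell
# Added example: reads the registry values that back the two policies above.
# Run locally on the DC the NAS authenticates against. Read-only.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent (no policy has written it).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# LmCompatibilityLevel -> "LAN Manager authentication level" policy text
$lmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

$signing = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
$lmLevel = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'

$signingText = if ($null -eq $signing) {
    'value absent; OS default applies'
} elseif ($signing -eq 1) {
    'Enabled: unsigned SMB sessions are rejected'
} else {
    'Disabled: unsigned SMB sessions are accepted'
}

if ($null -eq $lmLevel) {
    $lmText = 'value absent; OS default applies'
    $dcAccepts = 'depends on OS default'
} else {
    $lmText = $lmLevels[$lmLevel]
    # A DC always accepts NTLMv2, accepts NTLM (v1) at levels 0-4 and LM at levels 0-3.
    $accepted = @('NTLMv2')
    if ($lmLevel -le 4) { $accepted += 'NTLM' }
    if ($lmLevel -le 3) { $accepted += 'LM' }
    $dcAccepts = $accepted -join ', '
}

[pscustomobject]@{ Policy = 'Microsoft network server: Digitally sign communications (always)'; Raw = $signing; Meaning = $signingText }
[pscustomobject]@{ Policy = 'Network security: LAN Manager authentication level'; Raw = $lmLevel; Meaning = "$lmText (DC accepts: $dcAccepts)" }
```

Running it before and after a policy change (once Group Policy has refreshed) shows what the DC actually enforces, since a setting shown as Not Defined in one GPO can still be set by another GPO or left at the OS default.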